Backroom to boardroom: The role of CISO is evolving

Although more CISOs now have a seat at the table, what they do once they get there varies dramatically. At a recent ITAC event in Toronto, Cisco’s CISO explained how to work with line-of-business managers, make security a priority and cut internal vulnerabilities.

Steve Martino is the chief information security officer (CISO) at Cisco, and in a blog post last year, he argued that the role of CISO is undergoing a massive transformation.

“Much like how the CIO’s role went through a decade of change, from running infrastructure operations to becoming a business enabler and senior leadership peer, the role of the CISO is following a similar journey,” he wrote. “(The CISO) is emerging from the backroom of IT to a much needed seat at the boardroom table.”

Citing Cisco’s own 2017 Annual Cybersecurity Survey, Martino said 35 per cent of cybersecurity professionals now report directly to their CEO or president.

Although more CISOs now have a seat at the table, what they do once they get there varies dramatically. After polling CISOs from 25 of the biggest enterprises in the world (including Cisco, Facebook and Eli Lilly), a recent Synopsys report concluded there are really four main CISO tribes:

Enabler – this CISO strikes a “deep balance” between the technical and the business sides of the coin

Technologist – focuses too much on technology at the expense of business goals; sees security as driven by threat rather than risk; doesn’t delegate enough

Compliance Officer – has strong business skills but aims only for bare minimum compliance vs. getting ahead of risk; constantly under-invests in security

Cost Counter – has strong technical skills but weak relationships with line of business (LOB); treats security as a budget-draining compliance exercise; understaffed and overwhelmed, this CISO focuses on ‘now’ with no future plan

Recognize anyone you know in those descriptions?

Martino was in Toronto recently to address the Information Technology Association of Canada (ITAC). So we asked him, of course, what advice he has for CISOs taking their newfound seat at the boardroom table.

“The one thing I would tell security people is to walk in someone else’s shoes,” he said. “Have that industry knowledge. Live in sales, live in marketing, live in engineering for a while before you become a CISO. If I don’t understand what the business is trying to do, I can’t understand that risk.”

Martino possibly had a smoother path to that enlightenment than most CISOs, since his pre-CISO roles included sales, marketing, management consulting, COO and VP of business operations positions at various tech firms.

“If you can’t do that because you’re already the CISO,” he added, “then surround yourself with those kinds of people. We often want to surround ourselves with people just like us. But it gives you an understanding of why the sales team wants to do that thing they want to do.”

Working with LOB units

Even if you’ve already boosted your business knowledge, it isn’t easy to get LOB’s attention on security matters. If you print off threat reports and drop them onto LOB managers’ desks, Martino said, the papers will probably end up in their garbage can. Instead, he boils things down to two simple metrics that are easily understandable and actionable for business managers.

Here’s how it plays out at Cisco. First, Martino’s security team counts the open vulnerabilities in each Cisco LOB unit. Second, it sets a deadline by which each of those vulnerabilities must be remediated. That gives LOB managers a short, concrete list to prioritize against their own business targets, and gives both sides an unambiguous measure of whether it was done on time.

This deal, which Martino struck with his Cisco CIO, treats security as a shared yet clearly defined responsibility for both business and IT sides of the fence.

“The key,” said Martino, “was that my CIO was going to hold her VPs and managers accountable (for meeting the deadlines), not me.”

A year after he brokered this agreement with his CIO, Cisco cut its internal vulnerabilities by 64 per cent and increased on-time closure rates for those weak spots by 86 per cent.
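The two numbers Martino reports to LOB managers, open vulnerabilities per unit and whether each was closed by its deadline, are easy to compute once every finding carries an owner, a severity and a due date. The following is an added worked example, not code from Cisco or from the article: it assumes a remediation-SLA table keyed by severity (the day counts are illustrative, not Cisco’s policy) and a small constructed set of findings, and it produces the per-unit open, overdue and on-time-closure figures the deal is measured against.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days, by severity. Illustrative values only;
# the article does not state what deadlines Cisco actually uses.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    unit: str                     # the LOB unit that owns the fix
    severity: str                 # key into SLA_DAYS
    opened: date                  # date the finding was raised
    closed: Optional[date] = None # None while still open

    def deadline(self) -> date:
        """Remediation deadline derived from severity and open date."""
        return self.opened + timedelta(days=SLA_DAYS[self.severity])


def unit_metrics(findings, today: date) -> dict:
    """Per-unit counts a LOB manager can act on.

    Returns {unit: {"open", "overdue", "closed", "closed_on_time", "on_time_rate"}}.
    on_time_rate is closed_on_time / closed, or None if nothing has been closed yet.
    """
    out: dict = {}
    for f in findings:
        m = out.setdefault(f.unit, {"open": 0, "overdue": 0,
                                    "closed": 0, "closed_on_time": 0})
        if f.closed is None:
            m["open"] += 1
            if today > f.deadline():      # still open past its due date
                m["overdue"] += 1
        else:
            m["closed"] += 1
            if f.closed <= f.deadline():  # fixed on or before the deadline
                m["closed_on_time"] += 1
    for m in out.values():
        m["on_time_rate"] = (m["closed_on_time"] / m["closed"]) if m["closed"] else None
    return out


def overdue(findings, today: date):
    """Open findings past their deadline, most overdue first: (finding, days_late)."""
    late = [(f, (today - f.deadline()).days)
            for f in findings if f.closed is None and today > f.deadline()]
    return sorted(late, key=lambda t: -t[1])


# Constructed sample data for the example (not real findings).
TODAY = date(2018, 3, 1)
FINDINGS = [
    Finding("sales", "critical", date(2018, 2, 1), date(2018, 2, 5)),     # due 2/8, on time
    Finding("sales", "high", date(2018, 1, 1), date(2018, 2, 15)),        # due 1/31, late
    Finding("sales", "medium", date(2018, 2, 20)),                        # due 5/21, open
    Finding("engineering", "critical", date(2018, 2, 10)),                # due 2/17, overdue
    Finding("engineering", "low", date(2017, 12, 1), date(2018, 1, 15)),  # due 5/30, on time
    Finding("engineering", "high", date(2018, 2, 25)),                    # due 3/27, open
]

if __name__ == "__main__":
    for unit, m in unit_metrics(FINDINGS, TODAY).items():
        print(f"{unit:12} open={m['open']} overdue={m['overdue']} "
              f"closed={m['closed']} on_time_rate={m['on_time_rate']}")
    for f, days in overdue(FINDINGS, TODAY):
        print(f"OVERDUE {f.unit} {f.severity} by {days} days (due {f.deadline()})")
```

The point of keeping the per-unit numbers this small is the one Martino makes: a manager can read “two open, one overdue by 12 days” and act on it, where a full scanner report would go in the bin. The on-time rate is also the figure a CIO can hold a VP to without needing to understand the underlying CVEs.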

Even with today’s AI-driven, automated security tools at their disposal, CISOs still have to keep having the conversation about who owns those tools and who is accountable for how they are used, and the answer keeps shifting as the organization changes.

Based on the Synopsys report findings, Martino probably fits into the Enabler CISO tribe. At his Toronto appearance, however, he said there’s one role he has no interest in playing.

“My job as a CISO is to balance risk. It’s not to stop people from doing things. I’m not the police.”